SSRF-King – SSRF Plugin For Burp Automates SSRF Detection In All Of The Request

SSRF plugin for burp that Automates SSRF Detection in all of the Request

Upcoming Features Checklist

• It will soon have a user Interface to specifiy your own call back payload
• It will soon be able to test Json & XML
• Test for SMTP SSRF

How to Install/Build

• git clone https://github.com/ethicalhackingplayground/ssrf-king
• gradle build
• Now the file “ssrf-king.jar” could be found under build/libs which can then be imported Burpsuite.
• Alternatively, goto releases to download the compiled file.

Features

• Test all of the request for any external interactions.
• Checks to see if any interactions are not the users IP if it is, it’s an open redirect.
• Alerts the user for any external interactions with information such as:
  • Endpoint Vulnerable
  • Host
  • Location Found

It also performs the following tests based on this research:

Reference:

https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface

GET http://burpcollab/some/endpoint HTTP/1.1
Host: example.com
...

and

GET @burpcollab/some/endpoint HTTP/1.1
Host: example.com
...

and

GET /some/endpoint HTTP/1.1
Host: example.com:80@burpcollab
...

and

GET /some/endpoint HTTP/1.1
Host: burpcollab
...

and

GET /some/endpoint HTTP/1.1
Host: example.com
X-Forwarded-Host: burpcollab
...

Scanning Options

• Supports Both Passive & Active Scanning.

Example

• Load the website you want to test.

• Add it as an inscope host in burp.

• Load the plugin.

• Keep note of the Burp Collab Payload.

• Passively crawl the page, ssrf-king test everything in the request on the fly.

• When it finds a vulnerabilitiy it logs the information and adds an alert.

From here onwards you would fuzz the parameter to test for SSRF.

Video Demonstration

Print Share Comment Cite Upload Translate

APA

() » SSRF-King – SSRF Plugin For Burp Automates SSRF Detection In All Of The Request. Retrieved from https://www.truth.cx/2021/01/30/ssrf-king-ssrf-plugin-for-burp-automates-ssrf-detection-in-all-of-the-request/.

MLA

" » SSRF-King – SSRF Plugin For Burp Automates SSRF Detection In All Of The Request." - , https://www.truth.cx/2021/01/30/ssrf-king-ssrf-plugin-for-burp-automates-ssrf-detection-in-all-of-the-request/

HARVARD

» SSRF-King – SSRF Plugin For Burp Automates SSRF Detection In All Of The Request., viewed ,

VANCOUVER

- » SSRF-King – SSRF Plugin For Burp Automates SSRF Detection In All Of The Request. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2021/01/30/ssrf-king-ssrf-plugin-for-burp-automates-ssrf-detection-in-all-of-the-request/

CHICAGO

" » SSRF-King – SSRF Plugin For Burp Automates SSRF Detection In All Of The Request." - Accessed . https://www.truth.cx/2021/01/30/ssrf-king-ssrf-plugin-for-burp-automates-ssrf-detection-in-all-of-the-request/

IEEE

" » SSRF-King – SSRF Plugin For Burp Automates SSRF Detection In All Of The Request." [Online]. Available: https://www.truth.cx/2021/01/30/ssrf-king-ssrf-plugin-for-burp-automates-ssrf-detection-in-all-of-the-request/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ymhNs5fYcag/YA5LTvaK5UI/AAAAAAAAVJY/CrZ72KkebMIkKAxhTFLh8NV83Gmm8GJ6ACNcBGAsYHQ/s1280/ssrf-king_11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="720" data-original-width="1280" height="360" src="https://1.bp.blogspot.com/-ymhNs5fYcag/YA5LTvaK5UI/AAAAAAAAVJY/CrZ72KkebMIkKAxhTFLh8NV83Gmm8GJ6ACNcBGAsYHQ/w640-h360/ssrf-king_11.png" width="640" /></a></div><p><br /></p> <p>SSRF <a href="https://www.kitploit.com/search/label/Plugin" title="plugin">plugin</a> for burp that Automates SSRF Detection in all of the Request</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Upcoming Features Checklist</b></span><br /> <ul> <li><div>It will soon have a user Interface to specifiy your own call back payload</div></li> <li>It will soon be able to test Json & XML</li> <li>Test for SMTP SSRF</li> </ul> <br /><span style="font-size: large;"><b>How to Install/Build</b></span><br /> <ul> <li><code>git clone https://github.com/ethicalhackingplayground/ssrf-king</code></li> <li><code>gradle build</code></li> <li>Now the file "ssrf-king.jar" could be found under build/libs which can then be imported Burpsuite.</li> <li>Alternatively, goto <a href="https://github.com/ethicalhackingplayground/ssrf-king/releases" rel="nofollow" title="releases">releases</a> to download the compiled file.</li> </ul> <br /><span style="font-size: large;"><b>Features</b></span><br /> <ul> <li><div>Test all of the request for any external interactions.</div></li> <li><div>Checks to see if any interactions are not the users IP if it is, it's an open redirect.</div></li> <li><div>Alerts the user for any external interactions with information such as:</div><ul> <li>Endpoint Vulnerable</li> <li>Host</li> <li>Location Found</li> </ul> </li> </ul> <p>It also performs the following tests based on this research:</p> <p><strong>Reference:</strong></p> <p><a href="https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface" rel="nofollow" title="https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface">https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface</a></p> <div><pre><code>GET http://burpcollab/some/endpoint HTTP/1.1<br />Host: example.com<br />...</code></pre></div> <p>and</p> <div><pre><code>GET @burpcollab/some/endpoint HTTP/1.1<br />Host: example.com<br />...</code></pre></div> <p>and</p> <div><pre><code>GET /some/endpoint HTTP/1.1<br />Host: example.com:80@burpcollab<br />...</code></pre></div> <p>and</p> <div><pre><code>GET /some/endpoint HTTP/1.1<br />Host: burpcollab<br />...</code></pre></div> <p>and</p> <div><pre><code>GET /some/endpoint HTTP/1.1<br />Host: example.com<br />X-Forwarded-Host: burpcollab<br />...</code></pre></div> <br /><span style="font-size: large;"><b>Scanning Options</b></span><br /> <ul> <li><div>Supports Both Passive & Active Scanning.</div></li> </ul> <br /><span style="font-size: large;"><b>Example</b></span><br /> <ul> <li>Load the <a href="https://www.kitploit.com/search/label/Website" title="website">website</a> you want to test.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-RbVY6QWMx9k/YA5KW84YMFI/AAAAAAAAVIg/yt5xtpqwjkwndCB9RubZEHmsEJpgri_uACNcBGAsYHQ/s1874/ssrf-king_4_ss-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="934" data-original-width="1874" height="318" src="https://1.bp.blogspot.com/-RbVY6QWMx9k/YA5KW84YMFI/AAAAAAAAVIg/yt5xtpqwjkwndCB9RubZEHmsEJpgri_uACNcBGAsYHQ/w640-h318/ssrf-king_4_ss-1.png" width="640" /></a></div><p><br /></p> <ul> <li>Add it as an inscope host in burp.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-iBItPuI4UMo/YA5Kd0DypUI/AAAAAAAAVIk/JafkpszpFS0len2nODSNvR5KVHWL4OAiACNcBGAsYHQ/s920/ssrf-king_5_ss-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="798" data-original-width="920" height="556" src="https://1.bp.blogspot.com/-iBItPuI4UMo/YA5Kd0DypUI/AAAAAAAAVIk/JafkpszpFS0len2nODSNvR5KVHWL4OAiACNcBGAsYHQ/w640-h556/ssrf-king_5_ss-2.png" width="640" /></a></div><p><br /></p> <ul> <li>Load the plugin.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-elT76q4O_rc/YA5KjcFyHSI/AAAAAAAAVIo/11B0DO9frNICjPvAt0hMomU-DkyE0oDBQCNcBGAsYHQ/s1503/ssrf-king_6_ss-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="913" data-original-width="1503" height="388" src="https://1.bp.blogspot.com/-elT76q4O_rc/YA5KjcFyHSI/AAAAAAAAVIo/11B0DO9frNICjPvAt0hMomU-DkyE0oDBQCNcBGAsYHQ/w640-h388/ssrf-king_6_ss-3.png" width="640" /></a></div><p><br /></p> <ul> <li>Keep note of the <a href="https://www.kitploit.com/search/label/Burp" title="Burp">Burp</a> Collab Payload.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-F_k9CJG-Tiw/YA5Kpcvbv1I/AAAAAAAAVIw/TKObjF5Xl7o25U9L1Pb2RhS5BvvrkP1vwCNcBGAsYHQ/s676/ssrf-king_7_ss-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="676" height="410" src="https://1.bp.blogspot.com/-F_k9CJG-Tiw/YA5Kpcvbv1I/AAAAAAAAVIw/TKObjF5Xl7o25U9L1Pb2RhS5BvvrkP1vwCNcBGAsYHQ/w640-h410/ssrf-king_7_ss-4.png" width="640" /></a></div><p><br /></p> <ul> <li>Passively crawl the page, ssrf-king test everything in the request on the fly.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-hSEeslkvYFw/YA5Kva0KNFI/AAAAAAAAVI4/fxhT1uqqNrAwicfCeu1uiRpGNedItLNNACNcBGAsYHQ/s1844/ssrf-king_8_ssf-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="927" data-original-width="1844" height="322" src="https://1.bp.blogspot.com/-hSEeslkvYFw/YA5Kva0KNFI/AAAAAAAAVI4/fxhT1uqqNrAwicfCeu1uiRpGNedItLNNACNcBGAsYHQ/w640-h322/ssrf-king_8_ssf-5.png" width="640" /></a></div><p><br /></p> <ul> <li>When it finds a vulnerabilitiy it logs the information and adds an alert.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-GCW5_dRVXKg/YA5K0-NZrGI/AAAAAAAAVJA/j42lyFsPTEQ9EoRuFULCNtX57bAJj2yHQCNcBGAsYHQ/s1891/ssrf-king_9_ssrf-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="907" data-original-width="1891" height="306" src="https://1.bp.blogspot.com/-GCW5_dRVXKg/YA5K0-NZrGI/AAAAAAAAVJA/j42lyFsPTEQ9EoRuFULCNtX57bAJj2yHQCNcBGAsYHQ/w640-h306/ssrf-king_9_ssrf-6.png" width="640" /></a></div><p><br /></p> <p><strong>From here onwards you would <a href="https://www.kitploit.com/search/label/Fuzz" title="fuzz">fuzz</a> the parameter to test for SSRF.</strong></p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-pYBYAlJ8ZJQ/YA5K7a80zHI/AAAAAAAAVJI/qnEMKrZaXMQ5UkSugzNXJgGB87G80vM-gCNcBGAsYHQ/s1532/ssrf-king_10_ssrf-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="964" data-original-width="1532" height="402" src="https://1.bp.blogspot.com/-pYBYAlJ8ZJQ/YA5K7a80zHI/AAAAAAAAVJI/qnEMKrZaXMQ5UkSugzNXJgGB87G80vM-gCNcBGAsYHQ/w640-h402/ssrf-king_10_ssrf-7.png" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>Video Demonstration</b></span><br /> <p> </p><div style="text-align: center;"><iframe width="560" height="315" src="https://www.youtube.com/embed/oIkPpgqKfsg" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></div><div><br /></div><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/ethicalhackingplayground/ssrf-king" rel="nofollow" title="Download Ssrf-King">Download Ssrf-King</a></span></b></div><img src="http://feeds.feedburner.com/~r/PentestTools/~4/SCmtwxFTsHc" height="1" width="1" alt=""/> First name:

Last name: